marsstealer | a1caccbf827324ede6a7c2c1701a9939404a60a5f37e4b8d75046f80070eea0a

Analysis

max time kernel
47s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
submitted
11-08-2022 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader175205.exe

Score

10^/10

marsstealer default discovery spyware stealer

Malware Config

Extracted

Family

marsstealer

Botnet

Default

54.159.203.55/Zamena.php

Signatures

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Executes dropped EXE 1 IoCs

pid	Process
4848	INST.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	INST.exe

Loads dropped DLL 7 IoCs

pid	Process
4744	loader175205.exe
4744	loader175205.exe
4744	loader175205.exe
4848	INST.exe
4848	INST.exe
4848	INST.exe
4848	INST.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	INST.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	INST.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3052	timeout.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 4744	3136	loader175205.exe	81
PID 3136 wrote to memory of 4744	3136	loader175205.exe	81
PID 4744 wrote to memory of 4884	4744	loader175205.exe	82
PID 4744 wrote to memory of 4884	4744	loader175205.exe	82
PID 4744 wrote to memory of 4944	4744	loader175205.exe	83
PID 4744 wrote to memory of 4944	4744	loader175205.exe	83
PID 4944 wrote to memory of 4848	4944	cmd.exe	84
PID 4944 wrote to memory of 4848	4944	cmd.exe	84
PID 4944 wrote to memory of 4848	4944	cmd.exe	84
PID 4848 wrote to memory of 3652	4848	INST.exe	94
PID 4848 wrote to memory of 3652	4848	INST.exe	94
PID 4848 wrote to memory of 3652	4848	INST.exe	94
PID 3652 wrote to memory of 3052	3652	cmd.exe	96
PID 3652 wrote to memory of 3052	3652	cmd.exe	96
PID 3652 wrote to memory of 3052	3652	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\loader175205.exe
"C:\Users\Admin\AppData\Local\Temp\loader175205.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Local\Temp\loader175205.exe
  "C:\Users\Admin\AppData\Local\Temp\loader175205.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c echo %temp%
    3⤵
    PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\INST.exe
      C:\Users\Admin\AppData\Local\Temp\INST.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\INST.exe" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
159KB

MD5
9eb30306051d5319b828be74762268e6

SHA1
88db00b1524bbb4cb23eb540167a50bfb4b77e03

SHA256
b4f03a6e742a4fb4d6d00486d6bc381dc65a9c2573085849b40450da46d47ade

SHA512
e980748b653d60b4a475cec9109e537f75543001b66c5fb21a6ccbef5cf534b630e3ad7a17ed2988fd88d5ae5d9c8aeff1b142c48d3efd11671cee098c3d7252

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
159KB

MD5
9eb30306051d5319b828be74762268e6

SHA1
88db00b1524bbb4cb23eb540167a50bfb4b77e03

SHA256
b4f03a6e742a4fb4d6d00486d6bc381dc65a9c2573085849b40450da46d47ade

SHA512
e980748b653d60b4a475cec9109e537f75543001b66c5fb21a6ccbef5cf534b630e3ad7a17ed2988fd88d5ae5d9c8aeff1b142c48d3efd11671cee098c3d7252

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\base_library.zip

Filesize
1008KB

MD5
83c8fd1ecade22691bc9df596ccd8660

SHA1
1321c16e193a541c160ad67168b5777196efdc60

SHA256
6d4627111a5dfbd2c339ead617a9a78d93146bd868a7aeecf8e56fb59734331b

SHA512
93c6c0f9b225502219d049ec86e44289ca04f9db12651577f6be528c5a12fa62ac32bfb8674b2f562dbca7cced2f3757a08290579f8daed6d926bf11a522f297

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\python38.dll

Filesize
4.0MB

MD5
26ba25d468a778d37f1a24f4514d9814

SHA1
b64fe169690557656ede3ae50d3c5a197fea6013

SHA256
2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128

SHA512
80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\python38.dll

Filesize
4.0MB

MD5
26ba25d468a778d37f1a24f4514d9814

SHA1
b64fe169690557656ede3ae50d3c5a197fea6013

SHA256
2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128

SHA512
80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\ucrtbase.dll

Filesize
971KB

MD5
bd8b198c3210b885fe516500306a4fcf

SHA1
28762cb66003587be1a59c2668d2300fce300c2d

SHA256
ce2621719f1358508c2c33bcc1380d78a737ca20cd18c0ac89f38e1be788d9a2

SHA512
c32b6c083d3a7da01085718e5685e9a04034be91251c065794ceef1dfaaf6573fdd845cbc84e926ab3f510d295649cb6e497564fbe52cc79c053357c645c11a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31362\ucrtbase.dll

Filesize
971KB

MD5
bd8b198c3210b885fe516500306a4fcf

SHA1
28762cb66003587be1a59c2668d2300fce300c2d

SHA256
ce2621719f1358508c2c33bcc1380d78a737ca20cd18c0ac89f38e1be788d9a2

SHA512
c32b6c083d3a7da01085718e5685e9a04034be91251c065794ceef1dfaaf6573fdd845cbc84e926ab3f510d295649cb6e497564fbe52cc79c053357c645c11a5

Download Submit
memory/4848-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4848-146-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4848-170-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads